A few days ago I posted something about “custom RBAC roles for management groups“.
Today I saw a really cool new feature! In the past you created a custom RBAC role with PowerShell like the following:
```powershell
Connect-AzAccount
Get-AzSubscription

# Enter your subscription ID. Sample: bb8e13db-cd67-4923-8aea-a4d66b65cf84
$subscriptionId = "bb8e13db-cd67-4923-8aea-a4d66b65cf84"
Select-AzSubscription -SubscriptionId $subscriptionId

# Start from the built-in Owner definition and turn it into a new custom role
$role = Get-AzRoleDefinition "Owner"
$role.Id = $null
$role.Name = "Azure.RBAC.CustomRole"
$role.Description = "Custom Owner permission. Exclude resource lock delete"

# Owner already grants "*"; add actions here only if you start from a narrower role
# $role.Actions.Add("<Provider>/<resource>/<action>")
# Exclude the permission named in the description: deleting resource locks
$role.NotActions.Add("Microsoft.Authorization/locks/delete")

# Enter the subscription scope here. Sample: /subscriptions/bb8e13db-cd67-4923-8aea-a4d66b65cf84
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role
```
But now it is also possible to create a custom role in the Azure portal. Open “Access control (IAM)”:
and click on “Add”. There you will find a new preview feature named “Add custom role (preview)”:
Awesome, it’s a really nice feature!
Now a wizard opens and you can configure the following:
1.) Basics (Name, Description and Baseline permissions)
2.) Permissions. In that section you can add but also exclude permissions. The categories are really well designed, from my point of view!
3.) Assignable scopes. At the moment it’s not possible to assign the role to a Management Group. @Microsoft please fix that issue.
4.) Finally, you can export the permission template for use in the future, useful for IaC automation!
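To tie the four wizard steps together, here is an added PowerShell example (not from the original post) that builds the same custom role from a JSON role definition file, the format that step 4 exports and that New-AzRoleDefinition -InputFile accepts. It uses the Owner baseline, excludes the lock-delete permission, and goes one step beyond the wizard by using a management group as the assignable scope, which the portal does not offer yet but the Az cmdlets accept. The management group ID `mg-example` and the template file path are placeholders.

```powershell
# Added example: create the custom role from a JSON template, the same format
# the wizard exports in step 4, and verify the exclusion afterwards.
Connect-AzAccount

# Placeholder management group ID; replace with your own. The portal wizard cannot
# target a management group yet, but the Az cmdlets accept this scope format.
$managementGroupId = "mg-example"

$roleDefinition = [ordered]@{
    Name             = "Azure.RBAC.CustomRole"
    IsCustom         = $true
    Description      = "Custom Owner permission. Exclude resource lock delete"
    Actions          = @("*")                                    # Owner baseline
    NotActions       = @("Microsoft.Authorization/locks/delete") # excluded permission
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/providers/Microsoft.Management/managementGroups/$managementGroupId")
}

# Write the template next to your other IaC files; this is the artifact you commit
$templatePath = Join-Path $PWD "Azure.RBAC.CustomRole.json"
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $templatePath -Encoding UTF8

# Create the role from the template (use Set-AzRoleDefinition -InputFile to update it later)
New-AzRoleDefinition -InputFile $templatePath

# Check that the exclusion really landed in the stored definition before assigning the role
$created = Get-AzRoleDefinition -Name "Azure.RBAC.CustomRole"
if ($created.NotActions -notcontains "Microsoft.Authorization/locks/delete") {
    throw "Custom role was created without the lock-delete exclusion"
}
"Role '$($created.Name)' created with scopes: $($created.AssignableScopes -join ', ')"
```

The account running this needs permission to write role definitions at the management group scope (for example Owner or User Access Administrator there); the final Get-AzRoleDefinition check is cheap insurance that the NotActions list was not lost on the way from template to tenant.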
I love that new preview feature!!!